The main risk with standard .htaccess password protection is from cracking. Next up with both cookies & query string session variables would be XSS (cross-site scripting) & ref logging allowing an attacker to steal a session. You can't bind the session to the IP address as an IP address can change during a session.
I would use a form based login, with a captcha if crackers were hitting the site. Maybe bind the user agent to the session & if I was really paranoid make all internal links POSTed form based submits.
That's off the top of my head, and I'm pretty tired, but at a glance it seems that would be pretty secure.
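As an added illustration of the points in the answer above (form-based login, a captcha threshold once failed logins pile up, a session bound to the user agent rather than the IP, and a session identifier carried only in an HttpOnly cookie so XSS and referrer logs cannot read it), here is a small self-contained Python sketch. It is example code written for this page, not code from the answer's author; the function names, the failure threshold of 5, the session lifetime, and the in-memory session store are all assumptions chosen for the demonstration, and a real deployment would keep sessions and the throttle counters in shared storage.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# In-memory stores (constructed for the example; a real site would use shared storage).
SessionStore = Dict[str, dict]


def ua_fingerprint(user_agent: str) -> str:
    """Hash the User-Agent so the stored value is fixed-length and comparable."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def issue_session(sessions: SessionStore, username: str, user_agent: str, now: float) -> str:
    """Create a random session id after a successful form login and bind it to the UA."""
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy; not guessable or crackable offline
    sessions[sid] = {"user": username, "ua": ua_fingerprint(user_agent), "issued": now}
    return sid


def validate_session(sessions: SessionStore, sid: str, user_agent: str,
                     now: float, max_age: float = 3600.0) -> Optional[str]:
    """Return the logged-in username, or None if the session is missing, expired,
    or presented from a different User-Agent. A mismatch invalidates the session."""
    rec = sessions.get(sid)
    if rec is None:
        return None
    if now - rec["issued"] > max_age:
        sessions.pop(sid, None)
        return None
    # Constant-time compare so the check itself leaks nothing about the stored value.
    if not hmac.compare_digest(rec["ua"], ua_fingerprint(user_agent)):
        sessions.pop(sid, None)
        return None
    return rec["user"]


def set_cookie_header(sid: str) -> str:
    """Session id travels only in a cookie: HttpOnly keeps script (XSS) from reading it,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def extract_session_id(headers: Dict[str, str]) -> Optional[str]:
    """Read the session id from the Cookie header only. A session id in the query
    string would end up in referrer logs, so it is deliberately never accepted."""
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


class LoginThrottle:
    """Count failed logins per account; require a captcha once the threshold is hit."""

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = {}

    def record_failure(self, username: str) -> None:
        self.failures[username] = self.failures.get(username, 0) + 1

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)

    def captcha_required(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.threshold


if __name__ == "__main__":
    store: SessionStore = {}
    sid = issue_session(store, "alice", "Mozilla/5.0 (example)", now=1000.0)
    print(set_cookie_header(sid))
    print(validate_session(store, sid, "Mozilla/5.0 (example)", now=1500.0))  # alice
    print(validate_session(store, sid, "curl/8.0 (example)", now=1500.0))     # None
```

The user-agent check is a weak binding (an attacker who steals the cookie via XSS can also read the browser's User-Agent), so its value is mostly in cutting off crude replay from a different client; the stronger protections here are the HttpOnly/Secure cookie, refusing session ids in the query string, and the login throttle that stops the .htaccess-style cracking risk the answer leads with.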